Think of GDPR as the rulebook for data.
It’s the law (the UK GDPR in the UK, the EU GDPR in the EU) that sets out how organisations must treat people’s personal information. If you collect, store, or use details about any living person, whether customers, staff, or suppliers, GDPR applies to you.
The bottom line:
GDPR isn’t about endless paperwork. It’s about respect: collect less, protect it properly, and be upfront about what you’re doing with it.
What Counts as Personal Data?
It’s more than just names and emails. Personal data is any information relating to a living person who can be identified, directly or in combination with other data you hold, such as:
• Name, email, phone number, address
• Bank or card details
• ID numbers
• Location data or IP address
• Health, biometric, or genetic info (these, along with data on race, religion, politics, trade union membership, and sex life or orientation, are “special category” data that need extra protection)
• Opinions or notes linked to a person
The Seven Principles You Must Follow
Handle data with these golden rules:
1. Be lawful, fair, and transparent — have a valid lawful basis and tell people clearly what you’re doing.
2. Limit purpose — only use data for the reason you collected it.
3. Minimise — collect only what’s needed.
4. Keep it accurate — correct or delete errors.
5. Limit storage — don’t hoard data forever; set retention periods and delete when they expire.
6. Keep it secure — protect against loss, leaks, and unauthorised access, whether accidental or malicious.
7. Be accountable — you must be able to show that you comply, which is why the records and policies below matter.
People’s Rights Under GDPR
Individuals get strong powers over their data. They can:
• See what you hold (access).
• Fix mistakes (rectify).
• Ask for deletion (“right to be forgotten”).
• Pause your use (restrict).
• Object to processing (an absolute right for direct marketing; for other uses you must stop unless you can show compelling grounds).
• Take their data elsewhere (portability).
• Be told what’s happening (inform).
• Challenge automated decisions (like credit scoring).
You normally have 1 month to respond. If a request is complex, or you get several from the same person, you can extend by a further 2 months, but you must tell them within the first month that you need longer and why.
Lawful Reasons to Use Data
You need a valid reason (a “lawful basis”) before you process personal data. There are six, and you should choose and record one before you start:
• Consent — the person agrees freely, for a specific purpose, by a clear opt-in (pre-ticked boxes don’t count), and can withdraw it as easily as they gave it.
• Contract — you need it to deliver a service.
• Legal duty — required by law.
• Vital interests — protect someone’s life.
• Public task — official duties.
• Legitimate interests — genuine business needs (if they don’t override people’s rights).
Your Obligations as a Business
Even without an IT team, you must:
• Keep a record of what you collect, why, and how long for.
• Publish a clear Privacy Notice.
• Secure data in proportion to the risk: unique passwords with multi-factor authentication, encrypted laptops and phones, tested backups, promptly patched software, and locked cabinets for paper.
• Check that suppliers who handle data for you (processors) follow GDPR, and put the required written contract or data processing agreement in place before they get the data.
• Collect the minimum info needed.
• Train staff so they know the basics.
When Things Go Wrong (Breaches)
If personal data is lost, stolen, or exposed:
• Report it to the ICO within 72 hours of becoming aware of it, unless it’s unlikely to result in a risk to the people affected. If you don’t have all the details in time, report what you know and follow up.
• Tell affected people without undue delay if it’s likely to result in a high risk to them (for example, exposed bank details or passwords).
• Keep a log of all breaches, even ones you decide not to report, recording what happened, the effects, and what you did about it.
Do You Need a Data Protection Officer (DPO)?
Most small firms don’t. You only must appoint one if:
• Your core activities involve large-scale processing of special category data (health, religion, biometrics) or criminal records data.
• Your core activities involve large-scale, regular and systematic monitoring of people (for example, behavioural tracking).
• You are a public authority.
Sending Data Abroad
If you transfer data outside the UK (or, under EU GDPR, outside the EEA), including by using overseas cloud services, you must have an approved safeguard in place: an adequacy decision for the destination country, standard contractual clauses (in the UK, the International Data Transfer Agreement or the UK addendum to the EU clauses), or an approved certification scheme. Check where your cloud providers actually store and process data, not just where they are headquartered.
The Risk of Fines
GDPR fines can be, whichever is higher:
• Up to £8.7m (€10m under EU GDPR) or 2% of annual worldwide turnover for failings such as poor record-keeping, weak security, or not reporting breaches.
• Up to £17.5m (€20m under EU GDPR) or 4% of annual worldwide turnover for breaking the principles, ignoring people’s rights, or unlawful transfers abroad.
For most small firms, fines are lower, but still painful, and the regulator can also order you to stop processing altogether.
Practical Steps for Small Businesses
- Write a simple Privacy Notice for your website and contracts.
- Keep a data register (what you collect, why, how long).
- Use secure storage: unique passwords with multi-factor authentication, encryption on laptops, phones, and USB drives, and locked cabinets for paper records.
- Have a breach plan (who to tell, how to respond).
- Train staff so they recognise phishing and know not to share personal data without a good reason.
- Review third-party providers (IT, accountants, cloud apps) and get written data processing agreements in place.
Key Takeaway
GDPR isn’t about drowning in paperwork. It’s about trust. Collect less, secure it properly, and be honest with people about how you’re using their information. For most small businesses, that means good records, clear communication, and basic security.
At The Cyber Workshop, our courses break down regulations like GDPR into practical steps you can follow — no jargon, no legal waffle, just actions that make sense.
Till next time,
Good data handling isn’t just a legal box-tick — it’s good business.